Cryptocurrency Mining?

L7 Applicator

Re: Cryptocurrency Mining?

Best of luck. Also CB isnt catching everything since something is running and attempting to make those call outs. If you have a next gen AV package, it might be worth a shot to install it. If you dont I like to use Immunet. Its free, cloud based, and backed by some good intel.

L4 Transporter

Re: Cryptocurrency Mining?

Otakar.Klier

Thank you guys for the responses.

Even though I feel this demonstrates that I am still learning and need to focus more time on reviewing our profiles, I wanted to post this update for the record, and for others.

After reviewing with terrific PA support, I believe the issue started with the fact that our Vulnerability profile was set to default (long before I got here). Therefore, the threat in question was processed with its default action, alert (instead of reset-both).

[attachment: threat39277.jpg]

[attachment: threataction.jpg]

It seems that the traffic was able to pass, and the server in question is an Oracle WebLogic server that had not been patched to resolve this exploit!

Since we had Carbon Black in place, the threat was unable to run. One of the behaviors was a PowerShell script that would try to run on a schedule or periodically; we blocked PowerShell from running and monitored its attempts.

We corrected our vulnerability profile, restored the Oracle server from a backup (taken before the exploit), and so far we have no other PowerShell execution attempts and see that the threat is now identified and blocked at the firewall (reset-both).

L6 Presenter

Re: Cryptocurrency Mining?



I think this highlights an important fact... It's not necessarily always best to accept a "standard config." At my company I went ahead and made the decision to override the defaults of all "Critical and High" signatures to a "reset," just for this very reason. I'd rather respond to "why is something being blocked" versus "how did we get compromised."

 

Your scenario does highlight a positive though... Defense-in-Depth. While one source of protection may not be sufficient, either from misconfiguration or a straight failure, others should always be in place to catch what might be missed.

L7 Applicator

Re: Cryptocurrency Mining?

As @Brandon_Wertz mentioned, I highly recommend overriding severity Critical and High threats to simply reset the connection. In some cases I've even assigned medium severity to reset-both as well. In my experience it hasn't caused a lot of issues; and even when it has, it's an easy discussion to have. "Hey, I can't do this thing" is pretty easy to explain away; "Hey, my computer/server is doing this thing" is a lot harder of a conversation.

L7 Applicator

Re: Cryptocurrency Mining?

Hello,

I have to agree with @BPry and @Brandon_Wertz, it's time to maybe review your settings. Personally I have anything medium and higher set to block.

Regards,
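An added example, not from any poster in this thread, of how a defender could audit an exported threat log for the gap described above: signatures at critical/high severity (or medium, as BPry does) that fired with action "alert" instead of a reset. The CSV column names and sample rows are constructed assumptions; real PAN-OS exports carry many more fields and the signature name is a placeholder.

```python
import csv
import io
from collections import Counter

# Profile actions that actually stop the session; "alert" and "allow" only log.
BLOCKING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop", "block-ip"}

# Constructed sample rows (assumed column layout, placeholder threat name).
SAMPLE_LOG = """receive_time,threat_id,threat_name,severity,action,src,dst
2018/01/10 09:14:02,39277,placeholder-weblogic-signature,critical,alert,203.0.113.7,10.0.5.20
2018/01/10 09:14:05,39277,placeholder-weblogic-signature,critical,alert,203.0.113.7,10.0.5.20
2018/01/10 09:20:11,30001,placeholder-medium-probe,medium,alert,203.0.113.8,10.0.5.21
2018/01/11 08:02:44,39277,placeholder-weblogic-signature,critical,reset-both,203.0.113.7,10.0.5.20
2018/01/11 08:05:01,20002,placeholder-low-scan,low,alert,203.0.113.9,10.0.5.22
"""


def parse_threat_log(text):
    """Parse a simplified CSV threat-log export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_threat_log(text, must_block=("critical", "high")):
    """Return (threat_id, severity, action, hit_count) for every signature that
    fired at a severity the profile should block but was only alerted on.
    Rows whose action is in BLOCKING_ACTIONS are healthy and are skipped."""
    counts = Counter()
    for row in parse_threat_log(text):
        sev = row["severity"].strip().lower()
        act = row["action"].strip().lower()
        if sev in must_block and act not in BLOCKING_ACTIONS:
            counts[(row["threat_id"], sev, act)] += 1
    # Noisiest gap first, then by threat id for a stable listing.
    return sorted(((tid, sev, act, n) for (tid, sev, act), n in counts.items()),
                  key=lambda t: (-t[3], t[0]))


if __name__ == "__main__":
    for tid, sev, act, n in audit_threat_log(SAMPLE_LOG, ("critical", "high", "medium")):
        print(f"threat {tid}: {n} hit(s) at severity {sev} with action '{act}' (not blocking)")
```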

L4 Transporter

Re: Cryptocurrency Mining?

My last comment about this. :)

I believe this article is a good summary of what happened to us.

https://arstechnica.com/information-technology/2018/01/hackers-turn-weblogic-peoplesoft-servers-into...

They exploited our flawed vulnerability profile and unpatched Oracle WebLogic server to use it for cryptomining.

We did find the xmrig executable on our server, so we feel pretty sure that was for mining.

Even though my last post does not mention it, we also patched our Oracle WebLogic server and have resolved this problem at both the firewall and the server.

L7 Applicator

Re: Cryptocurrency Mining?

Bummer dude, it always sucks. But at least you caught it and stopped it.
